VulnerableCode Package Details - pkg:maven/org.apache.logging.log4j/log4j@2.12.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-8977-tjss-w7ba Aliases: CVE-2021-45046 GHSA-7rjr-3q55-vv33	Incomplete fix for Apache Log4j vulnerability The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.	2.12.3 Affected by 0 other vulnerabilities. 2.17.0 Affected by 0 other vulnerabilities.
VCID-mz9r-j78c-dfe3 Aliases: CVE-2020-9488 GHSA-vwqq-5vrc-xw9h	Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.	2.12.3 Affected by 0 other vulnerabilities. 2.13.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-8977-tjss-w7ba
Aliases:
CVE-2021-45046
GHSA-7rjr-3q55-vv33

Incomplete fix for Apache Log4j vulnerability The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.

2.12.3
Affected by 0 other vulnerabilities.

2.17.0
Affected by 0 other vulnerabilities.

VCID-mz9r-j78c-dfe3
Aliases:
CVE-2020-9488
GHSA-vwqq-5vrc-xw9h

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

2.12.3
Affected by 0 other vulnerabilities.

2.13.2
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jwav-88m7-6fhz	Remote code injection in Log4j Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default. Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory.	CVE-2021-44228 GHSA-jfh8-c2jp-5v3q

Vulnerability

Summary

Aliases

VCID-jwav-88m7-6fhz

Remote code injection in Log4j Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default. Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory.

CVE-2021-44228
GHSA-jfh8-c2jp-5v3q

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:36:27.025058+00:00	GitLab Importer	Affected by	VCID-8977-tjss-w7ba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-45046.yml	38.4.0
2026-04-16T21:36:20.868223+00:00	GitLab Importer	Fixing	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.4.0
2026-04-16T21:02:51.313514+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.4.0
2026-04-11T22:50:08.727801+00:00	GitLab Importer	Affected by	VCID-8977-tjss-w7ba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-45046.yml	38.3.0
2026-04-11T22:50:02.123607+00:00	GitLab Importer	Fixing	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.3.0
2026-04-11T22:14:14.176424+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.3.0
2026-04-02T22:59:33.193547+00:00	GitLab Importer	Affected by	VCID-8977-tjss-w7ba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-45046.yml	38.1.0
2026-04-02T22:59:27.304679+00:00	GitLab Importer	Fixing	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.1.0
2026-04-02T22:26:35.122782+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.1.0
2026-04-01T17:18:16.885605+00:00	GitLab Importer	Affected by	VCID-8977-tjss-w7ba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-45046.yml	38.0.0
2026-04-01T16:44:30.721291+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.0.0
2026-04-01T12:49:09.847031+00:00	GitLab Importer	Fixing	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.0.0